Progress announced the latest release of Progress® Semaphore™, its metadata management and semantic AI platform.
New Report: Speed and Security Are Both Possible in Software Development - Part 2
August 20, 2020
According to Forrester research, of 40 university computer science programs in the US, not one requires students to take secure coding or secure application design courses. That piece of the cyber skills gap means such training is often left up to individual teams.
Developers are not, and should not be expected to be, security experts.
Start with New Report: Speed and Security Are Both Possible in Software Development - Part 1
But to make DevSecOps more effective and address both the speed and security pressures, development and security teams need to understand each other better. For developers, that means understanding how applications can be exploited — the OWASP Top 10 is a good start.
ESG listed other elements of the most effective AppSec programs, several of which include better security awareness for developers. They include:
■ Application security best practices are formally documented.
■ Application security training is included as part of the ongoing development security training program.
■ Development managers are responsible for communicating best practices to developers.
■ A high percentage of developers participate in formal application security training programs.
■ Security issue introduction is tracked for individual development teams.
Then there is the technology piece, a major part of which is security testing tools.
Tools are crucial to finding design flaws, vulnerabilities in code and open source defects and licensing conflicts. Most organizations use multiple tools, but some of them have gone overboard — way overboard.
ESG reported more than a year ago that organizations on average run 25 to 49 security tools from up to 10 different vendors. There's an industry term for it — "tool sprawl." And it can slow productivity and lead to higher overall costs — the very things a good mix of security tools should help development teams avoid.
Analysts like Forrester and 451 Research have reported on tool sprawl in the past year, noting that as many as 40% of organizations admit that their development teams are so overwhelmed by security alerts that they can't respond to at least 25% of them. Indeed, when security alerts are so constant, they become background "noise" and are ignored — the exact opposite of the intent.
Survey respondents are aware of the problem. "Nearly one-third of organizations are … planning future investment to consolidate and simplify their tools proliferation," the report said.
So, clearly one part of the solution is DevOps integration — finding the right mix of tools that can work together and are easy for developers to use. ESG found that, for organizations seeking to improve the security of their software, "the most common challenge with their current tools is that their developers lack the knowledge to (mitigate identified security issues)."
The other part is automation. "Most believe that automating application security testing throughout the SDLC can make the biggest impact on the success of their program. DevOps integration reduces friction and shifts security further left, helping organizations identify security issues sooner," the report said.
The obvious goal is to build both security and speed into the SDLC. And based on the survey results, organizations are willing to invest to achieve that. More than half reported plans to "significantly increase spending on application security over the prior year."
Which means there is at least a chance that at some point in the future, the market will indeed get software-powered products that are the latest, greatest — and also the safest.
Industry News
August 29, 2024
Elastic, the Search AI Company, announced the Elasticsearch Open Inference API now integrates with Anthropic, providing developers with seamless access to Anthropic’s Claude, including Claude 3.5 Sonnet, Claude 3 Haiku and Claude 3 Opus, directly from their Anthropic account.
August 28, 2024
Broadcom unveiled VMware Cloud Foundation (VCF) 9, the future of VCF that will accelerate customers’ transition from siloed IT architectures to a unified and integrated private cloud platform that lowers cost and risk.
August 27, 2024
Broadcom announced VMware Tanzu Platform 10, a cloud native application platform that accelerates software delivery, providing platform engineering teams enhanced governance and operational efficiency while reducing toil and complexity for development teams.
August 26, 2024
Red Hat announced the general availability of Red Hat OpenStack Services on OpenShift, the next major release of Red Hat OpenStack Platform.
August 26, 2024
Salesforce announced new innovations in Slack that make it easier for users to build automations, no matter their technical expertise.
August 26, 2024
GitLab announced the general availability of the GitLab Duo Enterprise add-on.
August 26, 2024
Tigera now delivers universal microsegmentation capabilities with Calico.
August 22, 2024
Tabnine announced a new platform partnership with Broadcom Inc., an integration with IBM, as well as continuing extensions of existing partnerships with Amazon Web Services (AWS), DigitalOcean, Google Cloud, and Oracle Cloud Infrastructure (OCI).
August 22, 2024
Wallarm released API Attack Surface Management (AASM), an agentless technology to help organizations identify, analyze, and secure their entire API attack surface.
August 21, 2024
LambdaTest launched KaneAI, an end-to-end software AI Test Agent.
August 20, 2024
Kubiya has closed its $12 million seed round with a $6 million extension of equity and debt financing and launched a paradigm-breaking new platform, AI Teammates, that enables true delegation of complex tasks to digital colleagues through organic, human-like conversations.
August 19, 2024
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the schedule for KubeCon + CloudNativeCon North America 2024, happening in Salt Lake City, Utah from November 12 – 15.
August 19, 2024
Diagrid announced the latest version of Dapr, a Cloud Native Computing Foundation incubating project maintained by Diagrid, Microsoft, Intel, Alibaba, and others, as well as an update to Conductor, a Software as a Service (SaaS) that helps manage, upgrade, and monitor Dapr on Kubernetes clusters.
August 15, 2024
Spectro Cloud announced two new formal recognitions of its strengthening position in the government technology space: the Government Software competency from AWS, and ‘Awardable’ status on the CDAO Tradewinds Solutions Marketplace for AI/ML solutions at the tactical edge.
